This rule ensures that EBS snapshots are not set to be publicly restorable
Rule: EBS snapshots should not be publicly restorable
Framework: FedRAMP Low Revision 4
Severity: Medium
Rule Description:
According to the FedRAMP Low Revision 4 security requirements, Elastic Block Store (EBS) snapshots should not be publicly restorable. This rule helps protect sensitive data stored in AWS EBS snapshots from unauthorized access or exposure to the public.
Troubleshooting Steps:
If you encounter any issues or violations related to this rule, you can follow these troubleshooting steps:
1. Identify publicly restorable snapshots: Use the AWS CLI or AWS Management Console to identify any publicly restorable EBS snapshots in your account.
2. Check snapshot permissions: Verify whether any snapshots have their permissions set to allow public restoration.
3. Review access policies: Check the permissions and access policies of any EBS snapshots that are publicly restorable. Ensure that only authorized users or resources have access to these snapshots.
4. Audit the snapshot creation process: Review the process for creating EBS snapshots to ensure that proper checks are in place to prevent snapshots from being made publicly restorable unintentionally.
5. Review IAM policies: Make sure that the IAM policies associated with your AWS account or specific IAM roles do not allow the public restoration of EBS snapshots.
Necessary Codes:
There are no specific codes required for this rule. However, you can use the AWS CLI or SDKs to automate the process of identifying and fixing publicly restorable EBS snapshots.
Step-by-Step Guide for Remediation:
To remediate the issue of publicly restorable EBS snapshots, follow these steps:
1. Review existing snapshots: Use the AWS CLI or AWS Management Console to identify all the EBS snapshots in your account.
2. Verify permissions: Check the permissions of each snapshot to ensure that they are not publicly restorable. The following steps will guide you through checking and modifying the permissions:
a. Identify the snapshot you want to modify the permissions for.
b. Run the following AWS CLI command to get the current permissions of the snapshot:
aws ec2 describe-snapshot-attribute --snapshot-id <snapshot-id> --attribute createVolumePermission
Make a note of the output, which will include the current create volume permissions.
c. If the output's CreateVolumePermissions list contains an entry with "Group" set to "all", the snapshot is publicly restorable. To remove public access, execute the following AWS CLI command:
aws ec2 modify-snapshot-attribute --snapshot-id <snapshot-id> --attribute createVolumePermission --group-names all --operation-type remove
d. Verify the permissions of the snapshot again using the previous describe-snapshot-attribute command to ensure that the public access has been removed successfully.
By following these steps, you will ensure that EBS snapshots are not publicly restorable, thus fulfilling the FedRAMP Low Revision 4 security requirement.
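The following script is an added example and is not part of the original rule page or of any AWS tooling. It automates the audit and remediation steps above with boto3 (assumed to be installed, with credentials that allow ec2:DescribeSnapshots and ec2:DescribeSnapshotAttribute; the --remediate flag additionally needs ec2:ModifySnapshotAttribute). The function names, the fake sample responses in the comments, and the exit-code convention are my own choices, not something the page specifies.

```python
"""Audit and (optionally) remediate publicly restorable EBS snapshots.

Added example, not from the original rule page. It reproduces the
describe-snapshot-attribute / modify-snapshot-attribute procedure with
boto3 (assumed installed and configured). All names here are my own.
"""
import argparse
import sys
from typing import Dict, List

# The group name AWS uses for "anyone": a CreateVolumePermissions entry of
# {"Group": "all"} is exactly what makes a snapshot publicly restorable.
PUBLIC_GROUP = "all"


def is_publicly_restorable(attr_response: Dict) -> bool:
    """True when a DescribeSnapshotAttribute response (Attribute=
    createVolumePermission) grants create-volume permission to the
    'all' group. Example response shape (constructed sample):
    {"SnapshotId": "snap-0example", "CreateVolumePermissions": [{"Group": "all"}]}"""
    for perm in attr_response.get("CreateVolumePermissions", []):
        if perm.get("Group") == PUBLIC_GROUP:
            return True
    return False


def shared_account_ids(attr_response: Dict) -> List[str]:
    """Account IDs the snapshot is explicitly shared with. Not public, but
    worth reviewing next to the public grant during the access review step."""
    return [p["UserId"] for p in attr_response.get("CreateVolumePermissions", []) if "UserId" in p]


def remediation_params(snapshot_id: str) -> Dict:
    """Keyword arguments for EC2.Client.modify_snapshot_attribute that remove
    the public grant; the SDK equivalent of the CLI 'remove' command above."""
    return {
        "SnapshotId": snapshot_id,
        "Attribute": "createVolumePermission",
        "OperationType": "remove",
        "GroupNames": [PUBLIC_GROUP],
    }


def audit_account(ec2, remediate: bool = False) -> List[str]:
    """Walk every snapshot owned by this account (paginated) and return the
    IDs that were publicly restorable. With remediate=True the public grant is
    removed and the attribute is re-read to confirm the change took effect."""
    public: List[str] = []
    paginator = ec2.get_paginator("describe_snapshots")
    for page in paginator.paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            sid = snap["SnapshotId"]
            attrs = ec2.describe_snapshot_attribute(SnapshotId=sid, Attribute="createVolumePermission")
            if not is_publicly_restorable(attrs):
                continue
            public.append(sid)
            if remediate:
                ec2.modify_snapshot_attribute(**remediation_params(sid))
                # Step d of the guide: verify the grant is really gone.
                after = ec2.describe_snapshot_attribute(SnapshotId=sid, Attribute="createVolumePermission")
                if is_publicly_restorable(after):
                    raise RuntimeError(f"{sid}: public grant still present after remove")
    return public


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="Find (and optionally fix) publicly restorable EBS snapshots")
    parser.add_argument("--region", default=None, help="AWS region; defaults to the configured one")
    parser.add_argument("--remediate", action="store_true",
                        help="remove the 'all' group grant from each public snapshot")
    args = parser.parse_args(argv)
    import boto3  # imported here so the pure helpers above work without boto3 installed

    ec2 = boto3.client("ec2", region_name=args.region)
    found = audit_account(ec2, remediate=args.remediate)
    for sid in found:
        print(f"{sid}: publicly restorable{' -> public grant removed' if args.remediate else ''}")
    # Non-zero exit when violations remain, so the script can gate a pipeline.
    return 1 if found and not args.remediate else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it without flags first to get a read-only list of violating snapshot IDs per region (the exit code is 1 when any are found); rerun with --remediate once the list has been reviewed. The script only looks at snapshots the account owns, which is the set this rule evaluates, and it re-reads the attribute after each change rather than trusting that the modify call succeeded.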